WO2021135382A1 - Network security protection method and protection device - Google Patents
Network security protection method and protection device
- Publication number: WO2021135382A1 (PCT/CN2020/114685)
- Authority: WO (WIPO, PCT)
- Prior art keywords: address, risk, data stream, source, attribute information
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0227—Filtering policies
            - H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
            - H04L63/0263—Rule management
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection
            - H04L63/1425—Traffic logging, e.g. anomaly detection
          - H04L63/1441—Countermeasures against malicious traffic
            - H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Definitions
- This application relates to the field of communication technology, and more specifically to a network security protection method and protection device.
- Security protection equipment provides network security defense services for various types of business servers, so as to protect the business servers from hacker attacks.
- The security protection device is placed between the clients and the protected business server. The large number of data streams generated by the clients enter the security protection device first; the device filters out abnormal data streams, and only the resulting secure data streams enter the business server.
- A data stream (also called a message stream) is a series of messages from a source computer to a destination, where the destination is a computer, a multicast group, or a broadcast domain.
- Existing security protection equipment filters data streams with a blacklist mechanism.
- The security protection device stores a preset IP (Internet Protocol) threat database, and the IP threat database contains IP addresses.
- The traffic protection system determines whether the source IP address of each data stream exists in the IP threat database. If the source IP address A of a data stream is in the IP threat database, the security protection device considers IP address A to be an offensive IP address and blocks that data stream, thereby protecting the business server from hacker attacks.
- The security protection device treats any IP address that is not in the IP threat database as safe, and does not block a data stream whose source IP address is not in the IP threat database.
- As a result, existing security protection equipment may miss many offensive data streams, so the protection accuracy of existing security protection equipment is not high.
- The embodiments of the present application provide a network security protection method and protection device to accurately identify whether a data stream is offensive.
- In a first aspect, the embodiments of the present application provide a network security protection method.
- The method includes the following steps:
  - receiving a first data stream that includes a source IP address and a destination IP address, where the source IP address is the IP address of a first electronic device and the destination IP address is the IP address of a first server;
  - determining first device attribute information corresponding to the source IP address, the first device attribute information including a first device type and a first service type, where the first device type is the device type of the first electronic device and the first service type is the service type that the first device type supports accessing;
  - determining second device attribute information corresponding to the destination IP address, the second device attribute information including a second device type and a second service type, where the second device type is the device type allowed to access the first server and the second service type is the service type provided by the first server;
  - forwarding the first data stream when the first device attribute information matches the second device attribute information, and blocking the first data stream when the first device attribute information does not match the second device attribute information.
- When the first device attribute information matches the second device attribute information, the first electronic device meets the requirements of the first server, that is, the first data stream is a safe, non-offensive data stream, so the first data stream is forwarded. When the first device attribute information does not match the second device attribute information, the first electronic device does not meet the requirements of the first server, that is, the first data stream is an insecure, offensive data stream, so the first data stream needs to be blocked. The solution provided by the embodiments of the present application can therefore accurately identify whether a data stream sent by an electronic device is offensive and block the offensive data stream, so that only secure data streams enter the service server; the protection accuracy of the scheme is therefore higher.
- In a possible implementation manner, before determining the first device attribute information corresponding to the source IP address, the method further includes:
  - determining a detection identifier corresponding to the destination IP address in the first data stream, the detection identifier being either a first identifier, which indicates that the first server is currently being attacked, or a second identifier, which indicates that the first server is not currently being attacked;
  - when the detection identifier is the first identifier, determining a risk value corresponding to the source IP address;
  - when the risk value corresponding to the source IP address is within a first risk range, blocking the first data stream;
  - when the risk value corresponding to the source IP address is within a second risk range, performing the step of determining the first device attribute information corresponding to the source IP address.
  The minimum value of the first risk range is greater than the maximum value of the second risk range, or the minimum value of the second risk range is greater than the maximum value of the first risk range; the risks indicated by risk values in the first risk range are all higher than the risks indicated by risk values in the second risk range.
- When the detection identifier corresponding to the destination IP address is the first identifier, the first server is currently being attacked, so the risk value corresponding to the source IP address needs to be determined.
- When the detection identifier corresponding to the destination IP address is the second identifier, the first server is not currently being attacked, so there is no need to detect whether the first data stream is an offensive data stream: the first data stream can be forwarded directly and the detection step is skipped. This saves processing resources of the protection device, reduces the transmission delay that detecting whether the first data stream is offensive would add, and improves the timeliness of the service response.
- When the risk value corresponding to the source IP address is within the first risk range, the source IP address is more likely to attack the first server, so the protection device blocks the first data stream, which prevents the first server from being attacked by it. When the risk value corresponding to the source IP address is within the second risk range, the source IP address is less likely to attack the first server, but the first data stream cannot be considered safe, so the protection device continues to detect whether the first data stream is offensive; if the first data stream is determined to be offensive, it is blocked, so that the first server is still protected from being attacked by it.
- In a possible implementation manner, before determining the first device attribute information corresponding to the source IP address, the method further includes:
  - determining a risk value corresponding to the source IP address;
  - when the risk value corresponding to the source IP address is within a first risk range, blocking the first data stream;
  - when the risk value corresponding to the source IP address is within a second risk range, performing the step of determining the first device attribute information corresponding to the source IP address.
  The minimum value of the first risk range is greater than the maximum value of the second risk range, or the minimum value of the second risk range is greater than the maximum value of the first risk range; the risks indicated by risk values in the first risk range are higher than the risks indicated by risk values in the second risk range.
- When the risk value corresponding to the source IP address is within the first risk range, the source IP address is more likely to attack the first server, so the protection device blocks the first data stream, thereby preventing the first server from being attacked by it.
- When the risk value corresponding to the source IP address is within the second risk range, the source IP address is less likely to attack the first server, but the first data stream cannot be considered safe, so the protection device continues to detect whether the first data stream is offensive; if the first data stream is determined to be offensive, it is blocked, so that the first server is still protected from being attacked by it.
- In a possible implementation manner, before determining the first device attribute information corresponding to the source IP address, the method further includes:
  - determining a detection identifier corresponding to the destination IP address in the first data stream, the detection identifier being either a first identifier, which indicates that the first server is currently being attacked, or a second identifier, which indicates that the first server is not currently being attacked;
  - when the detection identifier is the first identifier, performing the step of determining the first device attribute information corresponding to the source IP address;
  - when the detection identifier is the second identifier, forwarding the first data stream.
- When the detection identifier corresponding to the destination IP address is the first identifier, the first server is currently being attacked, so the first device attribute information corresponding to the source IP address needs to be determined.
- When the detection identifier corresponding to the destination IP address is the second identifier, the first server is not currently being attacked, so there is no need to detect whether the first data stream is an offensive data stream: the first data stream can be forwarded directly and the detection step is skipped. This saves processing resources of the protection device, reduces the transmission delay that detecting whether the first data stream is offensive would add, and improves the timeliness of the service response.
- In a second aspect, the embodiments of the present application provide a network security protection method.
- The method includes the following steps:
  - receiving a first data stream that includes a source IP address and a destination IP address, where the source IP address is the IP address of a first electronic device and the destination IP address is the IP address of a first server;
  - determining a risk value corresponding to the source IP address;
  - when the risk value corresponding to the source IP address is within a first risk range, blocking the first data stream;
  - when the risk value corresponding to the source IP address is within a second risk range, determining whether to forward or block the first data stream according to the source IP address and the destination IP address.
  The minimum value of the first risk range is greater than the maximum value of the second risk range, or the minimum value of the second risk range is greater than the maximum value of the first risk range; the risks indicated by risk values in the first risk range are higher than the risks indicated by risk values in the second risk range.
- When the risk value corresponding to the source IP address is within the first risk range, the source IP address is more likely to attack the first server, so the protection device blocks the first data stream, thereby preventing the first server from being attacked by it.
- When the risk value corresponding to the source IP address is within the second risk range, the source IP address is less likely to attack the first server, but the first data stream cannot be considered safe, so the protection device continues to detect whether the first data stream is offensive; if the first data stream is determined to be offensive, it is blocked, so that the first server is still protected from being attacked by it.
- In a possible implementation manner, determining whether to forward or block the first data stream according to the source IP address and the destination IP address includes:
  - determining first device attribute information corresponding to the source IP address, the first device attribute information including a first device type and a first service type, where the first device type is the device type of the first electronic device and the first service type is the service type that the first device type supports accessing;
  - determining second device attribute information corresponding to the destination IP address, the second device attribute information including a second device type and a second service type, where the second device type is the device type allowed to access the first server and the second service type is the service type provided by the first server;
  - forwarding the first data stream when the first device attribute information matches the second device attribute information, and blocking the first data stream when the first device attribute information does not match the second device attribute information.
- When the first device attribute information matches the second device attribute information, the first electronic device meets the requirements of the first server, that is, the first data stream is a safe, non-offensive data stream, so the first data stream is forwarded. When the first device attribute information does not match the second device attribute information, the first electronic device does not meet the requirements of the first server, that is, the first data stream is an insecure, offensive data stream, so the first data stream needs to be blocked. The solution provided by the embodiments of the present application can therefore accurately identify whether a data stream sent by an electronic device is offensive and block the offensive data stream, so that only secure data streams enter the service server; the protection accuracy of the scheme is therefore higher.
- In a possible implementation manner, before determining the first device attribute information corresponding to the source IP address, the method further includes:
  - determining a detection identifier corresponding to the destination IP address in the first data stream, the detection identifier being either a first identifier, which indicates that the first server is currently being attacked, or a second identifier, which indicates that the first server is not currently being attacked;
  - when the detection identifier is the first identifier, performing the step of determining the first device attribute information corresponding to the source IP address;
  - when the detection identifier is the second identifier, forwarding the first data stream.
- When the detection identifier corresponding to the destination IP address is the first identifier, the first server is currently being attacked, so the first device attribute information corresponding to the source IP address needs to be determined.
- When the detection identifier corresponding to the destination IP address is the second identifier, the first server is not currently being attacked, so there is no need to detect whether the first data stream is an offensive data stream: the first data stream can be forwarded directly and the detection step is skipped. This saves processing resources of the protection device, reduces the transmission delay that detecting whether the first data stream is offensive would add, and improves the timeliness of the service response.
- The embodiments of the present application also provide a protection device.
- The protection device includes a network interface, a memory, and a processor connected to the memory. The memory stores instructions, and the processor executes the instructions so that the device performs the method of the first aspect or of any possible implementation manner of the first aspect, or the method of the second aspect or of any possible implementation manner of the second aspect; for details, refer to the description above, which is not repeated here.
- An embodiment of the present application provides a protection device that has the function of implementing the method of the first aspect or of any possible implementation manner of the first aspect, or the method of the second aspect or of any possible implementation manner of the second aspect.
- The function can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions above.
- An embodiment of the present application provides a computer storage medium for storing the computer software instructions used by the protection device above, which includes a program designed to execute the first aspect or any possible implementation manner of the first aspect, or the second aspect or any possible implementation manner of the second aspect.
- The embodiments of the present application provide a computer program product containing instructions which, when run on a computer, cause the computer to execute the methods described in the foregoing aspects.
- An embodiment of the present application provides a chip including a memory and a processor; the memory stores computer instructions, and the processor calls and runs the computer instructions from the memory to execute the method of the first aspect or of any possible implementation manner of the first aspect, or the method of the second aspect or of any possible implementation manner of the second aspect.
- FIG. 1 is a schematic diagram of a scenario to which the network security protection method provided by an embodiment of the application is applicable;
- FIG. 2 is a flowchart of a network security protection method provided by an embodiment of this application;
- FIG. 3 is a schematic diagram of another scenario to which the network security protection method provided by an embodiment of the application is applicable;
- FIG. 4 is a schematic diagram of another scenario to which the network security protection method provided by an embodiment of the application is applicable;
- FIG. 5 is a flowchart of another network security protection method provided by an embodiment of this application;
- FIG. 6 is a flowchart of another network security protection method provided by an embodiment of this application;
- FIG. 7 is a flowchart of another network security protection method provided by an embodiment of this application;
- FIG. 8 is a flowchart of another network security protection method provided by an embodiment of this application;
- FIG. 9 is a schematic structural diagram of a protection device provided by an embodiment of the present application;
- FIG. 10 is a schematic structural diagram of another protection device provided by an embodiment of the present application.
- FIG. 1 is a schematic diagram of a scenario to which the network security protection method provided by an embodiment of the application is applicable.
- the applicable scenarios of the network security protection method provided in the embodiments of the present application are not limited to the example shown in FIG. 1.
- the protection device 100 includes but is not limited to devices such as firewalls and security gateways.
- The protection device 100 is placed between a plurality of electronic devices (A1, A2, ..., An) and at least one service server.
- The at least one service server is multiple service servers (B1, B2, ..., Bm) as shown in FIG. 1, or a cluster composed of multiple service servers.
- The multiple data streams sent by the multiple electronic devices (A1, A2, ..., An) first enter the protection device 100, which identifies and filters them.
- The protection device 100 blocks offensive data streams and forwards (also called "releases") non-offensive data streams.
- In this way, the protection device can ensure that the data streams accessing the multiple service servers (B1, B2, ..., Bm) are relatively safe.
- FIG. 2 is a flowchart of a network security protection method provided by an embodiment of the application.
- The network security protection method shown in FIG. 2 includes the following steps S101 to S105.
- The network security protection method shown in FIG. 2 is executed by the protection device 100 in FIG. 1.
- The protection device receives a data stream from an electronic device accessing the service server.
- A data stream includes multiple data packets; each packet includes a source IP address and a destination IP address, and any two packets of the same data stream carry the same source IP address and destination IP address.
- The first data stream includes a source IP address and a destination IP address; the source IP address is the IP address of the first electronic device, and the destination IP address is the IP address of the first server.
- For example, the electronic device A1 is a terminal controlled by a hacker.
- The electronic device A1 generates an offensive data stream X1, which is used to attack the service server B1.
- The data stream X1 includes the source IP address (10.10.10.11) and the destination IP address (20.20.20.21); the source IP address (10.10.10.11) is the IP address of the electronic device A1, and the destination IP address (20.20.20.21) is the IP address of the service server B1.
- After the protection device 100 receives the data stream X1, it parses the data stream X1 and obtains the source IP address (10.10.10.11) and the destination IP address (20.20.20.21) from it.
- The first device attribute information includes a first device type and a first service type; the first device type is the device type of the first electronic device, and the first service type is the service type that the first device type supports accessing.
- The first device type corresponding to the source IP address may be determined first, and then the first service type corresponding to the first device type.
- In one implementation, the first device type corresponding to the source IP address is determined through a third-party server.
- The third-party server may be a Shodan server, a ZoomEye server, or a FoFA server.
- The "device types" mentioned in the embodiments of this application include but are not limited to: bridges, broadband routers, firewalls, hubs, load balancers, routers, switches, game consoles, media devices, power supplies, printers, print servers, proxy servers, remote management servers, security miscellaneous servers, dedicated servers, storage miscellaneous servers, telecommunication miscellaneous, terminal servers, VoIP (Voice over Internet Protocol) adapters, VoIP phones, web cameras, phones and terminals.
- The "device type" can be further divided into multiple levels of large and small categories.
- For example, the device types include three major categories, namely "gateway/network device", "independent device" and "personal device".
- The gateway/network device category includes: bridges, broadband routers, firewalls, hubs, load balancers, routers and switches.
- The independent device category includes: game consoles, media devices, power supplies, printers, print servers, proxy servers, remote management servers, security miscellaneous servers, dedicated servers, storage miscellaneous servers, telecommunication miscellaneous, terminal servers, VoIP (Voice over Internet Protocol) adapters, VoIP phones and web cameras.
- The personal device category includes phones and terminals.
- FIG. 3 is a schematic diagram of another scenario to which the network security protection method provided by the embodiments of this application is applicable.
- The protection device 100 sends a query request containing the source IP address (10.10.10.11) to the third-party server 200.
- After the third-party server 200 receives the query request, it looks up the device type (terminal) corresponding to the source IP address (10.10.10.11) and sends that device type to the protection device 100.
- Take the case in which the third-party server 200 is a Shodan server as an example.
- The Shodan server provides its service through the API interface "https://api.shodan.io/".
- The protection device 100 receives the JSON data returned by the Shodan server, parses it down to the field devicetype that describes the device type, and reads "terminal" from the content of that field: the device type corresponding to the IP address (10.10.10.11) is terminal.
- Alternatively, open source scanning software is used to determine the first device type corresponding to the source IP address.
- The open source scanning software can be Nmap, Masscan or IVRE.
- FIG. 4 is a schematic diagram of another scenario to which the network security protection method provided by an embodiment of this application is applicable. Assuming that open source scanning software A is pre-installed in the protection device 100, the protection device 100 inputs the source IP address (10.10.10.11) into software A, and software A outputs the device type (terminal) corresponding to that address.
- IVRE, for example, saves its scan result data in a MongoDB database.
- The scan result data contains the field "service_devicetype", which stores the device type corresponding to the IP address (10.10.10.11).
- The protection device 100 obtains the device type corresponding to the IP address (10.10.10.11) by querying the MongoDB database.
- the mapping relationship between the device type and the service type may be established in advance, and the mapping relationship between the device type and the service type may be stored in the protection device .
- the protective device can then determine the first service type corresponding to the first device type based on the mapping relationship between the device type and the service type.
- Table 1 shows the mapping relationship between device types and service types. It can be known from Table 1 that each device type corresponds to at least one service type.
- service types include, but are not limited to, website access, terminal (mobile) games, video/audio instant messaging, Internet of Things (IoT) control, API services (taking the aforementioned Shodan service as an example), and so on.
- service type C1 to service type C4, service type D1 to service type D4, and service type E1 to service type E5 are used below to refer to different service types.
- Table 1 (mapping between device types and service types):
Device type | Service type |
Terminal | Service type C1, service type C2, service type C3 and service type C4 |
Phone | Service type D1, service type D2 and service type D3 |
Router | Service type E1, service type E2, service type E3, service type E4 and service type E5 |
- the second device attribute information includes a second device type and a second service type
- the second device type is a device type allowed to access the first server
- the second service type is a service type provided by the first server.
- the protection device can pre-establish a mapping relationship between the destination IP address, the device type allowed to be accessed by the service server, and the service type of the service server based on the information provided by multiple service servers (B1, B2,..., Bm). Then, the device type and service type corresponding to the destination IP address are determined based on the mapping relationship.
- Table 2 shows the mapping relationship between the destination IP address, device type and service type.
- the protection device 100 determines from Table 2 that the device types corresponding to the destination IP address (20.20.20.21) include terminal, phone, and game console, and that the corresponding service type is service type D1.
- that is, terminal, phone, and game console are the device types allowed to access the service server B1, and service type D1 is the service type provided by the service server B1.
- S105 Block the first data stream when the attribute information of the first device does not match the attribute information of the second device.
- the protective device determines whether the first device attribute information matches the second device attribute information. If the first device attribute information matches the second device attribute information, it means that the first electronic device meets the requirements of the first server, so the first data stream is safe, and the protective device will forward the first data stream.
- the protection device 100 determines that the device type corresponding to the source IP address (10.10.10.11) is terminal, and determines from Table 1 that the service types corresponding to the device type terminal include service type C1, service type C2, service type C3, and service type C4; that is, the device type of the electronic device A1 is terminal, and the service types supported by the terminal include service type C1, service type C2, service type C3, and service type C4.
- the protection device 100 determines from Table 2 that the device types corresponding to the destination IP address (20.20.20.21) include terminal, phone, and game console, and that the corresponding service type is service type D1; that is, the device types allowed to access the service server B1 are terminal, telephone, and game console, and the service type of the service server B1 is service type D1.
- the protection device 100 determines that the device type (terminal) of the electronic device A1 matches the device types (terminal, phone, and game console) allowed to access the service server B1, but that the service types supported by the electronic device A1 (service type C1, service type C2, service type C3, and service type C4) do not match the service type (service type D1) of the service server B1, so the protection device 100 blocks the data flow X1.
- the first device attribute information includes the first device type and the first service type
- the second device attribute information includes the second device type and the second service type.
- “the attribute information of the first device matches the attribute information of the second device” includes a variety of situations, which are respectively introduced below.
- Case 1: the first device type is the same as the second device type, and the first service type is the same as the second service type. For example, the first device type is device type G1, the second device type is device type G1, the first service type is service type H1, and the second service type is service type H1.
- Case 2: the first device type is the same as the second device type, and the first service type includes the second service type. For example, the first device type is device type G1, the second device type is device type G1, the first service type includes service type H1 and service type H2, and the second service type is service type H1.
- Case 3: the first device type is the same as the second device type, and the second service type includes the first service type. For example, the first device type is device type G1, the second device type is device type G1, the second service type includes service type H1 and service type H2, and the first service type is service type H1.
- Case 4: the first device type includes the second device type, and the first service type is the same as the second service type. For example, the first device type includes device type G1 and device type G2, the second device type is device type G1, the first service type is service type H1, and the second service type is service type H1.
- Case 5: the first device type includes the second device type, and the first service type includes the second service type. For example, the first device type includes device type G1 and device type G2, the second device type is device type G1, the first service type includes service type H1 and service type H2, and the second service type is service type H1.
- Case 6: the first device type includes the second device type, and the second service type includes the first service type. For example, the first device type includes device type G1 and device type G2, the second device type is device type G1, the second service type includes service type H1 and service type H2, and the first service type is service type H1.
- Case 7: the second device type includes the first device type, and the first service type is the same as the second service type. For example, the second device type includes device type G1 and device type G2, the first device type is device type G1, the first service type is service type H1, and the second service type is service type H1.
- Case 8: the second device type includes the first device type, and the first service type includes the second service type. For example, the second device type includes device type G1 and device type G2, the first device type is device type G1, the first service type includes service type H1 and service type H2, and the second service type is service type H1.
- Case 9: the second device type includes the first device type, and the second service type includes the first service type. For example, the second device type includes device type G1 and device type G2, the first device type is device type G1, the second service type includes service type H1 and service type H2, and the first service type is service type H1.
- the first, third, seventh, and ninth cases can be understood as: the first device type is a subset of the second device type, and the first service type is a subset of the second service type.
- the first, second, fourth, and fifth cases can be understood as: the second device type is a subset of the first device type, and the second service type is a subset of the first service type.
- the first, second, seventh, and eighth cases can be understood as: the first device type is a subset of the second device type, and the second service type is a subset of the first service type.
- the first, third, fourth, and sixth cases can be understood as: the second device type is a subset of the first device type, and the first service type is a subset of the second service type.
- the network security protection method provided by the embodiment of the present application obtains the source IP address and the destination IP address in the first data stream, then determines the first device attribute information corresponding to the source IP address and the second device attribute information corresponding to the destination IP address, and finally determines whether to forward or block the first data stream according to whether the first device attribute information matches the second device attribute information.
- the core of the embodiments of the present application is to determine whether the device type of the first electronic device matches the device type allowed to be accessed by the first server, and to determine whether the service type supported by the first device type matches the service type of the first server.
- if the device type and the service type match, it means that the first electronic device meets the requirements of the first server, that is, the first data stream is safe, that is, the first data stream is a non-offensive data stream, so the first data stream is forwarded. If the device type or the service type does not match, it means that the first electronic device does not meet the requirements of the first server, that is, the first data stream is insecure, that is, the first data stream is an offensive data stream, so the first data stream needs to be blocked. Therefore, the solution provided by the embodiment of the present application can accurately identify whether the data stream sent by an electronic device is offensive and block the offensive data stream, so that only secure data streams enter the service server; the protection accuracy of the solution provided by the embodiment of the present application is therefore relatively high.
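The matching rule of S103 to S105, with Tables 1 and 2 and the nine cases above reduced to two containment checks, as an added Python example; this is not code from the patent. The lookup that stands in for the Shodan/Nmap/IVRE query of S102 and the source IP address 10.10.10.13 are constructed for the example. Running it reproduces the decision for data flow X1 (the terminal at 10.10.10.11 sending to 20.20.20.21 is blocked because the service type sets {C1, C2, C3, C4} and {D1} are not nested) and applies the general rule to arbitrary device and service sets, which goes slightly beyond the single-type examples in the text.

```python
"""Device/service attribute matching of steps S103 to S105.

Added example (not the patent's own code). Tables 1 and 2 are taken from
the description; the lookup that stands in for Shodan/Nmap/IVRE and the
source IP 10.10.10.13 are constructed. The match rule implements the nine
cases: for the device types and, separately, for the service types, one
side's set must be contained in the other's (identical sets are case 1).
"""
from typing import Dict, FrozenSet, NamedTuple, Optional


class Attrs(NamedTuple):
    device_types: FrozenSet[str]
    service_types: FrozenSet[str]


# Table 1: device type -> service types that device type supports.
DEVICE_SERVICE_TABLE: Dict[str, FrozenSet[str]] = {
    "terminal": frozenset({"C1", "C2", "C3", "C4"}),
    "phone": frozenset({"D1", "D2", "D3"}),
    "router": frozenset({"E1", "E2", "E3", "E4", "E5"}),
}

# Table 2: destination IP -> (device types allowed to access the server,
# service type the server provides).
SERVER_TABLE: Dict[str, Attrs] = {
    "20.20.20.21": Attrs(frozenset({"terminal", "phone", "game console"}),
                         frozenset({"D1"})),
    "20.20.20.22": Attrs(frozenset({"router"}), frozenset({"C1"})),
}

# Constructed stand-in for the S102 lookup (Shodan, Nmap, Masscan or IVRE):
# source IP -> device type(s) reported for it.
SOURCE_DEVICE_LOOKUP: Dict[str, FrozenSet[str]] = {
    "10.10.10.11": frozenset({"terminal"}),  # electronic device A1 (from the page)
    "10.10.10.13": frozenset({"phone"}),     # constructed for this example
}


def first_attrs(src_ip: str) -> Optional[Attrs]:
    """S102/S103: device types of the source plus the services they support (Table 1)."""
    dtypes = SOURCE_DEVICE_LOOKUP.get(src_ip)
    if not dtypes:
        return None
    services = frozenset().union(
        *(DEVICE_SERVICE_TABLE.get(d, frozenset()) for d in dtypes))
    return Attrs(dtypes, services)


def second_attrs(dst_ip: str) -> Optional[Attrs]:
    """S104: allowed device types and provided service type of the server (Table 2)."""
    return SERVER_TABLE.get(dst_ip)


def _nested(a: FrozenSet[str], b: FrozenSet[str]) -> bool:
    """True when one set is contained in the other; empty sets never match."""
    if not a or not b:
        return False
    return a <= b or b <= a


def attrs_match(first: Attrs, second: Attrs) -> bool:
    """The nine matching cases reduce to two independent containment checks."""
    return (_nested(first.device_types, second.device_types)
            and _nested(first.service_types, second.service_types))


def decide(src_ip: str, dst_ip: str) -> str:
    """S105: 'forward' when the attributes match, otherwise 'block'.

    An unknown source or destination yields no attributes and is blocked
    (a fail-closed choice made for this example, not stated by the page).
    """
    first, second = first_attrs(src_ip), second_attrs(dst_ip)
    if first is None or second is None:
        return "block"
    return "forward" if attrs_match(first, second) else "block"


if __name__ == "__main__":
    # Data flow X1 from the description: terminal -> 20.20.20.21 is blocked
    # because {C1, C2, C3, C4} and {D1} are not nested.
    print("X1:", decide("10.10.10.11", "20.20.20.21"))
    print("phone -> B1:", decide("10.10.10.13", "20.20.20.21"))
```

The constructed phone at 10.10.10.13 is forwarded to 20.20.20.21 because {phone} is contained in the allowed set and {D1} is contained in {D1, D2, D3}, which is case 8 of the list above.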
- FIG. 5 is a flowchart of another network security protection method provided by an embodiment of this application.
- the method shown in FIG. 5 may include steps S201 to S209.
- the safety protection method shown in FIG. 5 is executed by the protection device 100 in FIG. 1.
- S202 Determine the detection identifier corresponding to the destination IP address in the first data stream.
- the detection identifier is a first identifier or a second identifier, the first identifier is used to indicate that the first server is currently being attacked, and the second identifier is used to indicate that the first server is not currently being attacked.
- the protection device 100 monitors the operating status of the multiple service servers (B1, B2, ..., Bm). Specifically, the protection device 100 can monitor the resource occupancy rate of each of the multiple service servers (B1, B2, ..., Bm), such as the central processing unit (CPU) occupancy rate, the memory occupancy rate, the bandwidth occupancy rate, and so on.
- assuming that when the service server B1 is not under attack its resource occupancy rate is between 20% and 50%, the service server B1 sends the IP address (20.20.20.21) and the second identifier to the protection device 100;
- when the service server B1 is under attack its resource occupancy rate is between 60% and 80%, and the service server B1 sends the IP address (20.20.20.21) and the first identifier to the protection device 100.
- the protection device 100 can also monitor the number of IP addresses accessing each of the multiple service servers (B1, B2, ..., Bm) at the same time, that is, the number of different IP addresses that access each server simultaneously. Assuming that when the service server B1 is not attacked by hackers the number of IP addresses accessing it at the same time is between 100,000 and 200,000, the service server B1 sends the IP address (20.20.20.21) and the second identifier to the protection device 100. When the service server B1 is attacked by hackers, the number of IP addresses accessing it at the same time is between 300,000 and 400,000, and the service server B1 sends the IP address (20.20.20.21) and the first identifier to the protection device 100.
- the multiple service servers (B1, B2, ..., Bm) can periodically send their own IP address and detection identifier to the protection device 100, and the protection device 100 stores the IP address and detection identifier sent by each of the multiple service servers (B1, B2, ..., Bm).
- Table 3 shows the mapping relationship between the destination IP address and the detection identifier. Assuming that the first row of data in Table 3 is the data sent by the service server B1 to the protection device 100, it indicates that the service server B1 is currently under attack; assuming that the second row of data in Table 3 is the data sent by the service server B2 to the protection device 100, it indicates that the service server B2 is currently not under attack.
- the protection device 100 can also use other methods to determine the attack situation of each of the multiple service servers (B1, B2, ..., Bm). For example, the protection device 100 sends a test message to each service server and receives the corresponding response message. The protection device 100 calculates the time difference between the time when the test message is sent and the time when the response message is received, and determines the attack situation of the service server from the comparison between this time difference and a predetermined delay threshold. For example, the protection device 100 sends a test message to the service server B1 and receives the response message returned by the server B1. The protection device 100 calculates that the time difference between sending the test message and receiving the response message is 0.05 seconds (s), and the predetermined delay threshold is 0.8 s.
- since the time difference is less than the predetermined delay threshold, the protection device 100 determines that the server B1 is not currently under attack, and further determines that the server B1 corresponds to the second identifier. For another example, the protection device 100 sends a test message to the service server B2 and receives the response message returned by the server B2. The protection device 100 calculates that the time difference between sending the test message and receiving the response message is 1 s. Since this time difference is greater than the predetermined delay threshold, the protection device 100 determines that the server B2 is currently under attack, and further determines that the server B2 corresponds to the first identifier.
- the protective device 100 may also use other methods of determination, which will not be listed here.
- S203 Determine whether the detection identifier corresponding to the destination IP address is the first identifier or the second identifier; when the detection identifier corresponding to the destination IP address is the first identifier, execute S204; when the detection identifier corresponding to the destination IP address is the second identifier, execute S208.
- S202 and S203 are optional steps.
- if the detection identifier corresponding to the destination IP address is the first identifier, it indicates that the first server is currently under attack, so the risk value corresponding to the source IP address needs to be determined.
- if the detection identifier corresponding to the destination IP address is the second identifier, it means that the first server is not currently under attack, so there is no need to detect whether the first data stream is an offensive data stream; the first data stream can be forwarded directly and the step of detecting whether the first data stream is an offensive data stream is omitted, thereby saving the processing resources of the protection device, reducing the transmission delay caused by performing that detection, and improving the timeliness of the service response.
- the risks indicated by the risk values in the first risk range are all higher than the risks indicated by the risk values in the second risk range.
- the minimum value in the first risk range is greater than the maximum value in the second risk range, for example, suppose that the larger the preset risk value, the higher the indicated risk, and the smaller the risk value, the lower the indicated risk. Then the first risk range can be set as an integer between 6 and 10, and the second risk range can be set as an integer between 1 and 5.
- the minimum value "6" in the first risk range is greater than the maximum value "5" in the second risk range, so the risk indicated by a risk value in the first risk range (an integer between 6 and 10) is higher than the risk indicated by a risk value in the second risk range (an integer between 1 and 5).
- the minimum value in the second risk range is greater than the maximum value in the first risk range, for example, suppose that the larger the preset risk value, the lower the indicated risk, and the smaller the risk value, the higher the indicated risk. Then you can set the first risk range as an integer between 1 and 5, and the second risk range as an integer between 6 and 10.
- the minimum value "6" in the second risk range is greater than the maximum value "5" in the first risk range, so the risk indicated by a risk value in the first risk range (an integer between 1 and 5) is higher than the risk indicated by a risk value in the second risk range (an integer between 6 and 10).
- the risk value corresponding to the source IP address is determined based on the IP addresses that attacked the service server in a historical time period.
- for example, suppose that a larger risk value indicates a higher risk: if the source IP address A attacked the service server frequently in the historical time period, the risk value of the source IP address A can be increased; if the source IP address A attacked the service server at a low frequency in the historical time period, the risk value of the IP address A can be lowered; and if the source IP address A did not attack the service server in the historical time period, the risk value of the IP address A can be set to the minimum value.
- conversely, suppose that a larger risk value indicates a lower risk: if the source IP address A attacked the service server frequently in the historical time period, the risk value of the source IP address A can be lowered; if the source IP address A attacked the service server at a low frequency in the historical time period, the risk value of the IP address A can be increased; and if the source IP address A did not attack the service server in the historical time period, the risk value of the IP address A can be set to the maximum value.
- if the risk value corresponding to the source IP address is within the first risk range, it means that the source IP address is more likely to attack the first server, that is, the first data stream is a more dangerous data stream, and the protection device blocks the first data stream; if the risk value corresponding to the source IP address is within the second risk range, it means that the source IP address is less likely to attack the first server, that is, the first data stream is not a more dangerous data stream, but it cannot be considered safe, so the protection device continues to detect whether the first data stream is offensive.
- S204 is an optional step.
- in S204, the protection device blocks the first data stream, which prevents the first server from being attacked by the first data stream.
- if the risk value corresponding to the source IP address is within the second risk range, it means that the source IP address is less likely to attack the first server, but the first data stream cannot be considered safe, so the protection device continues to detect whether the first data stream is offensive; if it is determined that the first data stream is offensive, the first data stream can be blocked, so that the first server is prevented from being attacked by the first data stream.
- S205 For the specific implementation of S205, refer to the description of S102 in the embodiment shown in FIG. 2.
- S207 Determine whether the first device attribute information matches the second device attribute information, and if so, perform S208; otherwise, perform S209.
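The pre-checks of S202 to S204 (the detection identifier taken from Table 3, from the server-reported resource occupancy or from the test-message delay, followed by the risk-range test) as an added Python example; this is not code from the patent. The two identifiers, the 0.8 s delay threshold and the risk ranges 6 to 10 and 1 to 5 follow the description; the 60% occupancy boundary, the attack-history counts and the mapping from attack count to risk value are constructed for the example. The result says whether the stream is forwarded without detection (second identifier), blocked outright (first risk range), or passed on to the attribute match of S205 to S207.

```python
"""Pre-checks of FIG. 5, steps S202 to S204.

Added example (not the patent's own code). The two identifiers, Table 3,
the 0.8 s delay threshold and the risk ranges 6..10 / 1..5 come from the
description; the 60% occupancy boundary, the attack-history counts and the
count-to-risk mapping are constructed for this example.
"""
from typing import Dict

FIRST_ID = "first"    # first identifier: the server is currently under attack
SECOND_ID = "second"  # second identifier: the server is not under attack

# Table 3: destination IP -> detection identifier reported by the server.
DETECTION_TABLE: Dict[str, str] = {
    "20.20.20.21": FIRST_ID,
    "20.20.20.22": SECOND_ID,
}

DELAY_THRESHOLD_S = 0.8  # predetermined delay threshold from the description


def identifier_from_probe(rtt_s: float) -> str:
    """Classify a server from the test-message round trip: 0.05 s gives the
    second identifier, 1 s the first identifier, as in the description."""
    return FIRST_ID if rtt_s > DELAY_THRESHOLD_S else SECOND_ID


def identifier_from_occupancy(rate_pct: float, attacked_from_pct: float = 60.0) -> str:
    """Classify a server from its resource occupancy. The description gives
    20-50% as normal and 60-80% as under attack; 60% is used here as the
    boundary (constructed, the page states no exact boundary)."""
    return FIRST_ID if rate_pct >= attacked_from_pct else SECOND_ID


# Risk values are integers 1..10 where larger means higher risk.
FIRST_RISK_RANGE = range(6, 11)   # high risk: block without further detection
SECOND_RISK_RANGE = range(1, 6)   # lower risk: still run the attribute check


def risk_value(attacks_in_window: int) -> int:
    """Map the number of attacks from a source IP in the historical window to
    a 1..10 risk value (mapping constructed): no attacks gives the minimum."""
    if attacks_in_window <= 0:
        return 1
    return min(10, 1 + attacks_in_window)


# Constructed attack history: source IP -> attacks in the historical window.
ATTACK_HISTORY: Dict[str, int] = {
    "10.10.10.11": 0,
    "10.10.10.50": 3,
    "10.10.10.99": 12,
}


def pre_check(src_ip: str, dst_ip: str,
              detection: Dict[str, str] = DETECTION_TABLE,
              history: Dict[str, int] = ATTACK_HISTORY) -> str:
    """Return 'forward' (S208 reached without detection), 'block' (S204), or
    'detect' (continue with the attribute match of S205 to S207).

    A destination without an entry in Table 3 is treated as under attack so
    that its traffic is still inspected (fail-closed choice for this example).
    """
    if detection.get(dst_ip, FIRST_ID) == SECOND_ID:
        return "forward"
    value = risk_value(history.get(src_ip, 0))
    if value in FIRST_RISK_RANGE:
        return "block"
    return "detect"


if __name__ == "__main__":
    print(identifier_from_probe(0.05), identifier_from_probe(1.0))
    for src in ATTACK_HISTORY:
        print(src, "-> 20.20.20.21:", pre_check(src, "20.20.20.21"))
```

With the constructed history, 10.10.10.99 (12 attacks, risk value 10) is blocked before any attribute lookup when the destination is 20.20.20.21, while the same source is forwarded untouched to 20.20.20.22 because that server reports the second identifier; the attribute match only runs for sources in the second risk range.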
- FIG. 6 is a flowchart of another network security protection method provided by an embodiment of the application.
- the method shown in FIG. 6 may include steps S301 to S307.
- the safety protection method shown in FIG. 6 is executed by the protection device 100 in FIG. 1.
- S302 is an optional step.
- S302 when the risk value corresponding to the source IP address is within the first risk range, it indicates that the source IP address is more likely to attack the first server, so the protection device directly blocks the first data stream and omits the detection of whether the first data stream is offensive, which improves the timeliness of preventing attacks.
- if the risk value corresponding to the source IP address is within the second risk range, it means that the source IP address is less likely to attack the first server, but the first data stream cannot be considered safe, so the protection device continues to detect whether the first data stream is offensive; if it is determined that the first data stream is offensive, the first data stream can be blocked, so that the first server is prevented from being attacked by the first data stream.
- S305 Determine whether the first device attribute information matches the second device attribute information, and if so, perform S306; otherwise, perform S307.
- FIG. 7 is a flowchart of another network security protection method provided by an embodiment of the application.
- the method shown in FIG. 7 may include steps S401 to S408.
- the safety protection method shown in FIG. 7 is executed by the protection device 100 in FIG. 1.
- S402 Determine the detection identifier corresponding to the destination IP address in the first data stream.
- S403 is an optional step.
- if the detection identifier corresponding to the destination IP address is the first identifier, it indicates that the first server is currently under attack, so it is necessary to detect whether the first data stream is an offensive data stream; if it is determined that the first data stream is offensive, the first data stream can be blocked, so that the first server is prevented from being attacked by the first data stream.
- if the detection identifier corresponding to the destination IP address is the second identifier, it means that the first server is not currently under attack, so there is no need to detect whether the first data stream is an offensive data stream; the first data stream can be forwarded directly and the step of detecting whether the first data stream is an offensive data stream is omitted, thereby saving the processing resources of the protection device, reducing the transmission delay caused by performing that detection, and improving the timeliness of the service response.
- S405 Determine the attribute information of the second device corresponding to the destination IP address.
- S406 Determine whether the first device attribute information matches the second device attribute information, and if so, execute S407; otherwise, execute S408.
- FIG. 8 is a flowchart of another network security protection method provided by an embodiment of this application.
- the method shown in FIG. 8 may include steps S501 to S504.
- the safety protection method shown in FIG. 8 is executed by the protection device 100 in FIG. 1.
- S502 Determine whether the risk value corresponding to the source IP address is within the first risk range or within the second risk range; if the risk value corresponding to the source IP address is within the first risk range, execute S503; if the risk value corresponding to the source IP address is within the second risk range, execute S504.
- S502 is an optional step.
- S502 when the risk value corresponding to the source IP address is within the first risk range, it indicates that the source IP address is more likely to attack the first server, so the protection device blocks the first data stream, thereby preventing the first server from being attacked by the first data stream.
- if the risk value corresponding to the source IP address is within the second risk range, it means that the source IP address is less likely to attack the first server, but the first data stream cannot be considered safe, so the protection device continues to detect whether the first data stream is offensive; if it is determined that the first data stream is offensive, the first data stream can be blocked, so that the first server is prevented from being attacked by the first data stream.
- S504 Determine to forward or block the first data stream according to the source IP address and the destination IP address.
- S504 includes S402 to S408 shown in FIG. 7, for the specific implementation of S504, please refer to S402 to S408 shown in FIG. 7.
- FIG. 9 is a schematic structural diagram of a protective device provided by an embodiment of the present application.
- the protective device shown in FIG. 9 is the protective device 100 in the application scenarios shown in FIG. 1, FIG. 3, and FIG. 4.
- the protection device includes a processor 131, a memory 132, and a network interface 133.
- the processor 131 may be one or more CPUs, and the CPU may be a single-core CPU or a multi-core CPU.
- the memory 132 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), flash memory, optical memory, and the like.
- the code of the operating system is stored in the memory 132.
- the network interface 133 may be a wired interface, such as a fiber distributed data interface (FDDI) or a Gigabit Ethernet (GE) interface; the network interface 133 may also be a wireless interface.
- the network interface 133 is used to receive the data stream from the internal network and/or the external network, and communicate with the switch in the internal network according to the instruction of the processor 131.
- the processor 131 implements the method in the foregoing embodiment by reading the instructions stored in the memory 132, or the processor 131 may also implement the method in the foregoing embodiment by using internally stored instructions.
- when the processor 131 implements the method by reading the instructions stored in the memory 132, the memory 132 stores the instructions for implementing the method provided in the foregoing embodiment of the present application.
- the network interface 133 is configured to receive a first data stream.
- the first data stream includes a source IP address and a destination IP address.
- the source IP address is the IP address of the first electronic device, and the destination IP address is the IP address of the first server.
- the protection device is caused to perform the following operations: determine the first device attribute information corresponding to the source IP address, where the first device attribute information includes the first device type and the first service type, the first device type is the device type of the first electronic device, and the first service type is the service type supported by the first device type; determine the second device attribute information corresponding to the destination IP address, where the second device attribute information includes the second device type and the second service type,
- the second device type is the device type allowed to access the first server, and the second service type is the service type provided by the first server; when the first device attribute information matches the second device attribute information, instruct the network interface 133 to forward the first data stream; when the first device attribute information does not match the second device attribute information, block the first data stream.
- At least one processor 131 further executes the network security protection method described in the foregoing method embodiment according to several correspondence tables (such as Table 1 to Table 3 in the previous embodiment) stored in the memory 132.
- the protection device further includes a bus 134, and the above-mentioned processor 131 and the memory 132 are connected to each other through the bus 134, and may also be connected to each other in other ways.
- the protective device further includes an input device 135 and an output device 136.
- the input device 135 is used to input data to the protective device, and the output device 136 is used to output the processing result of the protective device.
- the input device 135 includes, but is not limited to, a keyboard, a touch screen, a microphone, and the like.
- the output device 136 includes, but is not limited to, a display, a printer, and the like.
- Fig. 10 is a schematic structural diagram of another protective device provided by an embodiment of the present application.
- the protective equipment includes a receiving module 141, a processing module 142, and a sending module 143.
- the protective device shown in FIG. 10 is applied to the scene shown in FIG. 1 to realize the function of the protective device 100 therein.
- the receiving module 141 receives a first data stream, the first data stream includes a source IP address and a destination IP address, the source IP address is the IP address of the first electronic device, and the destination IP address is the IP address of the first server;
- the processing module 142 is configured to determine the first device attribute information corresponding to the source IP address, where the first device attribute information includes a first device type and a first service type, the first device type is the device type of the first electronic device, and the first service type is the service type supported by the first device type; to determine the second device attribute information corresponding to the destination IP address, where the second device attribute information includes the second device type and the second service type, the second device type is the device type allowed to access the first server,
- and the second service type is the service type provided by the first server; to instruct the sending module 143 to forward the first data stream when the first device attribute information matches the second device attribute information; and to block the first data stream when the first device attribute information does not match the second device attribute information.
- the device embodiment described in FIG. 10 is only illustrative.
- the division into modules is only a division by logical function, and there may be other divisions in an actual implementation; for example, multiple modules or components may be combined or integrated into another system, or some features may be ignored or not implemented.
- the functional modules in the various embodiments of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module.
- the above-mentioned modules in FIG. 10 can be implemented in the form of hardware or software functional units.
- the receiving module 141 and the processing module 142 may be implemented by software functional modules generated after the processor 131 in FIG. 9 reads the program code stored in the memory.
- the above-mentioned modules in FIG. 10 can also be implemented by different hardware in the network device.
- the receiving module 141 is implemented by the network interface 133 in FIG. 9, and the processing module 142 is implemented by part of the processing resources in the processor 131 in FIG. 9 (for example, other cores of a multi-core processor), or by programmable devices such as a field-programmable gate array (FPGA) or a coprocessor.
- the above functional modules can also be implemented by a combination of software and hardware.
- the receiving module 141 is implemented by the network interface 133, and the processing module 142 is a software functional module generated by the CPU after reading the instructions stored in the memory.
- a computer program product refers to computer-readable instructions stored in a computer-readable medium.
- the computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium.
- Computer-readable storage media include, but are not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, equipment or devices, or any appropriate combination of the foregoing.
- the computer-readable storage medium is, for example, Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM) or portable Compact Disc Read-Only Memory (CD-ROM).
Description
Device type | Service type |
---|---|
Terminal | Service type C1, service type C2, service type C3 and service type C4 |
Phone | Service type D1, service type D2 and service type D3 |
Router | Service type E1, service type E2, service type E3, service type E4 and service type E5 |
… | … |

Destination IP address | Device type | Service type |
---|---|---|
20.20.20.21 | Terminal, phone and game console | Service type D1 |
20.20.20.22 | Router | Service type C1 |
… | … | … |

IP address | Detection identifier |
---|---|
20.20.20.21 | First identifier |
20.20.20.22 | Second identifier |
… | … |
Claims (18)
- A network security protection method, characterized by comprising: receiving a first data stream, the first data stream comprising a source IP address and a destination IP address, the source IP address being the IP address of a first electronic device, and the destination IP address being the IP address of a first server; determining first device attribute information corresponding to the source IP address, the first device attribute information comprising a first device type and a first service type, the first device type being the device type of the first electronic device, and the first service type being the service type that the first device type supports accessing; determining second device attribute information corresponding to the destination IP address, the second device attribute information comprising a second device type and a second service type, the second device type being the device type allowed to access the first server, and the second service type being the service type for which the first server provides service; forwarding the first data stream when the first device attribute information matches the second device attribute information; and blocking the first data stream when the first device attribute information does not match the second device attribute information.
- The network security protection method according to claim 1, characterized in that, before determining the first device attribute information corresponding to the source IP address, the method further comprises: determining a detection identifier corresponding to the destination IP address in the first data stream, the detection identifier being a first identifier or a second identifier, the first identifier being used to indicate that the first server is currently under attack, and the second identifier being used to indicate that the first server is currently not under attack; when the detection identifier is the first identifier, determining a risk value corresponding to the source IP address; blocking the first data stream when the risk value corresponding to the source IP address falls within a first risk range; performing the step of determining the first device attribute information corresponding to the source IP address when the risk value corresponding to the source IP address falls within a second risk range, wherein the minimum value in the first risk range is greater than the maximum value in the second risk range, or the minimum value in the second risk range is greater than the maximum value in the first risk range, and the risks indicated by the risk values in the first risk range are all higher than the risks indicated by the risk values in the second risk range; and forwarding the first data stream when the detection identifier is the second identifier.
- The network security protection method according to claim 1, characterized in that, before determining the first device attribute information corresponding to the source IP address, the method further comprises: determining a risk value corresponding to the source IP address; blocking the first data stream when the risk value corresponding to the source IP address falls within a first risk range; and performing the step of determining the first device attribute information corresponding to the source IP address when the risk value corresponding to the source IP address falls within a second risk range, wherein the minimum value in the first risk range is greater than the maximum value in the second risk range, or the minimum value in the second risk range is greater than the maximum value in the first risk range, and the risks indicated by the risk values in the first risk range are all higher than the risks indicated by the risk values in the second risk range.
- The network security protection method according to claim 1, characterized in that, before determining the first device attribute information corresponding to the source IP address, the method further comprises: determining a detection identifier corresponding to the destination IP address in the first data stream, the detection identifier being a first identifier or a second identifier, the first identifier being used to indicate that the first server is currently under attack, and the second identifier being used to indicate that the first server is currently not under attack; performing the step of determining the first device attribute information corresponding to the source IP address when the detection identifier is the first identifier; and forwarding the first data stream when the detection identifier is the second identifier.
- A network security protection method, characterized by comprising: receiving a first data stream, the first data stream comprising a source IP address and a destination IP address, the source IP address being the IP address of a first electronic device, and the destination IP address being the IP address of the first server; determining a risk value corresponding to the source IP address; blocking the first data stream when the risk value corresponding to the source IP address falls within a first risk range; and determining, according to the source IP address and the destination IP address, whether to forward or block the first data stream when the risk value corresponding to the source IP address falls within a second risk range, wherein the minimum value in the first risk range is greater than the maximum value in the second risk range, or the minimum value in the second risk range is greater than the maximum value in the first risk range, and the risks indicated by the risk values in the first risk range are all higher than the risks indicated by the risk values in the second risk range.
- The network security protection method according to claim 5, characterized in that determining, according to the source IP address and the destination IP address, whether to forward or block the first data stream comprises: determining first device attribute information corresponding to the source IP address, the first device attribute information comprising a first device type and a first service type, the first device type being the device type of the first electronic device, and the first service type being the service type supported by the first device type; determining second device attribute information corresponding to the destination IP address, the second device attribute information comprising a second device type and a second service type, the second device type being the device type allowed to access the first server, and the second service type being the service type for which the first server provides service; forwarding the first data stream when the first device attribute information matches the second device attribute information; and blocking the first data stream when the first device attribute information does not match the second device attribute information.
- The network security protection method according to claim 6, characterized in that, before determining the first device attribute information corresponding to the source IP address, the method further comprises: determining a detection identifier corresponding to the destination IP address in the first data stream, the detection identifier being a first identifier or a second identifier, the first identifier being used to indicate that the first server is currently under attack, and the second identifier being used to indicate that the first server is currently not under attack; performing the step of determining the first device attribute information corresponding to the source IP address when the detection identifier is the first identifier; and forwarding the first data stream when the detection identifier is the second identifier.
- A protection device, characterized by comprising a network interface, a memory, and a processor connected to the memory, the memory being configured to store instructions; the network interface being configured to receive a first data stream, the first data stream comprising a source IP address and a destination IP address, the source IP address being the IP address of a first electronic device, and the destination IP address being the IP address of a first server; and the processor being configured to execute the instructions so that the protection device performs the following operations: determining first device attribute information corresponding to the source IP address, the first device attribute information comprising a first device type and a first service type, the first device type being the device type of the first electronic device, and the first service type being the service type that the first device type supports accessing; determining second device attribute information corresponding to the destination IP address, the second device attribute information comprising a second device type and a second service type, the second device type being the device type allowed to access the first server, and the second service type being the service type for which the first server provides service; forwarding the first data stream through the network interface when the first device attribute information matches the second device attribute information; and blocking the first data stream when the first device attribute information does not match the second device attribute information.
- The protection device according to claim 8, characterized in that the processor is further configured to: determine a detection identifier corresponding to the destination IP address in the first data stream, the detection identifier being a first identifier or a second identifier, the first identifier being used to indicate that the first server is currently under attack, and the second identifier being used to indicate that the first server is currently not under attack; when the detection identifier is the first identifier, determine a risk value corresponding to the source IP address; block the first data stream when the risk value corresponding to the source IP address falls within a first risk range; determine the first device attribute information corresponding to the source IP address when the risk value corresponding to the source IP address falls within a second risk range, wherein the minimum value in the first risk range is greater than the maximum value in the second risk range, or the minimum value in the second risk range is greater than the maximum value in the first risk range, and the risks indicated by the risk values in the first risk range are all higher than the risks indicated by the risk values in the second risk range; and forward the first data stream when the detection identifier is the second identifier.
- The protection device according to claim 8, characterized in that the processor is further configured to: determine a risk value corresponding to the source IP address; block the first data stream when the risk value corresponding to the source IP address falls within a first risk range; and determine the first device attribute information corresponding to the source IP address when the risk value corresponding to the source IP address falls within a second risk range, wherein the minimum value in the first risk range is greater than the maximum value in the second risk range, or the minimum value in the second risk range is greater than the maximum value in the first risk range, and the risks indicated by the risk values in the first risk range are all higher than the risks indicated by the risk values in the second risk range.
- The protection device according to claim 8, characterized in that the processor is further configured to: determine a detection identifier corresponding to the destination IP address in the first data stream, the detection identifier being a first identifier or a second identifier, the first identifier being used to indicate that the first server is currently under attack, and the second identifier being used to indicate that the first server is currently not under attack; determine the first device attribute information corresponding to the source IP address when the detection identifier is the first identifier; and forward the first data stream when the detection identifier is the second identifier.
- A protection device, characterized by comprising a network interface, a memory, and a processor connected to the memory, the memory being configured to store instructions, and the processor being configured to execute the instructions so that the protection device performs the following operations: receiving a first data stream through the network interface, the first data stream comprising a source IP address and a destination IP address, the source IP address being the IP address of a first electronic device, and the destination IP address being the IP address of the first server; determining a risk value corresponding to the source IP address; blocking the first data stream when the risk value corresponding to the source IP address falls within a first risk range; and determining, according to the source IP address and the destination IP address, whether to forward or block the first data stream when the risk value corresponding to the source IP address falls within a second risk range, wherein the minimum value in the first risk range is greater than the maximum value in the second risk range, or the minimum value in the second risk range is greater than the maximum value in the first risk range, and the risks indicated by the risk values in the first risk range are all higher than the risks indicated by the risk values in the second risk range.
- The protection device according to claim 12, characterized in that the processor is specifically configured to: determine first device attribute information corresponding to the source IP address, the first device attribute information comprising a first device type and a first service type, the first device type being the device type of the first electronic device, and the first service type being the service type supported by the first device type; determine second device attribute information corresponding to the destination IP address, the second device attribute information comprising a second device type and a second service type, the second device type being the device type allowed to access the first server, and the second service type being the service type for which the first server provides service; instruct the network interface to forward the first data stream when the first device attribute information matches the second device attribute information; and block the first data stream when the first device attribute information does not match the second device attribute information.
- The protection device according to claim 13, characterized in that the processor is further configured to: determine a detection identifier corresponding to the destination IP address in the first data stream, the detection identifier being a first identifier or a second identifier, the first identifier being used to indicate that the first server is currently under attack, and the second identifier being used to indicate that the first server is currently not under attack; determine the first device attribute information corresponding to the source IP address when the detection identifier is the first identifier; and instruct the network interface to forward the first data stream when the detection identifier is the second identifier.
- A protection device, characterized by comprising: a receiving module, configured to receive a first data stream, the first data stream comprising a source IP address and a destination IP address, the source IP address being the IP address of a first electronic device, and the destination IP address being the IP address of a first server; and a processing module, configured to determine first device attribute information corresponding to the source IP address, the first device attribute information comprising a first device type and a first service type, the first device type being the device type of the first electronic device, and the first service type being the service type that the first device type supports accessing; determine second device attribute information corresponding to the destination IP address, the second device attribute information comprising a second device type and a second service type, the second device type being the device type allowed to access the first server, and the second service type being the service type for which the first server provides service; instruct a sending module to forward the first data stream when the first device attribute information matches the second device attribute information; and block the first data stream when the first device attribute information does not match the second device attribute information.
- A protection device, characterized by comprising: a receiving module, configured to receive a first data stream, the first data stream comprising a source IP address and a destination IP address, the source IP address being the IP address of a first electronic device, and the destination IP address being the IP address of a first server; and a processing module, configured to determine a risk value corresponding to the source IP address; block the first data stream when the risk value corresponding to the source IP address falls within a first risk range; and determine, according to the source IP address and the destination IP address, whether to forward or block the first data stream when the risk value corresponding to the source IP address falls within a second risk range, wherein the minimum value in the first risk range is greater than the maximum value in the second risk range, or the minimum value in the second risk range is greater than the maximum value in the first risk range, and the risks indicated by the risk values in the first risk range are all higher than the risks indicated by the risk values in the second risk range.
- A computer storage medium, characterized by comprising computer instructions which, when run on a network device, cause the network device to perform the method according to any one of claims 1 to 7.
- A computer program product, characterized in that, when run on a computer, it causes the computer to perform the method according to any one of claims 1 to 7.
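To make the decision flow of claims 1 and 2 concrete, the following Python example is added here; it is not code from the patent or from any product implementing it. It encodes the three lookup tables from the description excerpt above (device type to supported service types, destination IP to allowed device types and provided service type, destination IP to detection identifier) and evaluates a flow the way the claims describe. The source-IP to device-type mapping, the source-IP risk values, the threshold that separates the two risk ranges, and the rule that the attribute information "matches" when the source device type is among the allowed types and supports the server's service type are all assumptions of this example, as are the sample flows.

```python
"""Decision flow of claims 1 and 2 of WO2021135382A1 (added example, not the
patent's own code). The three lookup tables come from the description excerpt;
everything marked "constructed" or "assumption" is supplied by this example."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Action(Enum):
    FORWARD = "forward"
    BLOCK = "block"


# Description table 1: device type -> service types the device type supports.
DEVICE_SERVICES: Dict[str, Set[str]] = {
    "terminal": {"C1", "C2", "C3", "C4"},
    "phone": {"D1", "D2", "D3"},
    "router": {"E1", "E2", "E3", "E4", "E5"},
}

# Description table 2: destination IP -> (device types allowed to access the
# server, service type the server provides).
SERVER_POLICY: Dict[str, Tuple[Set[str], str]] = {
    "20.20.20.21": ({"terminal", "phone", "game console"}, "D1"),
    "20.20.20.22": ({"router"}, "C1"),
}

# Description table 3: destination IP -> detection identifier.
# True stands for the "first identifier" (server currently under attack),
# False for the "second identifier" (server currently not under attack).
UNDER_ATTACK: Dict[str, bool] = {"20.20.20.21": True, "20.20.20.22": False}

# Constructed: source IP -> device type, and source IP -> risk value in 0..100.
# The excerpt does not give these tables; the values are made up for the demo.
SOURCE_DEVICE: Dict[str, str] = {
    "10.0.0.5": "phone",
    "10.0.0.6": "terminal",
    "10.0.0.7": "router",
    "10.0.0.8": "phone",
}
SOURCE_RISK: Dict[str, int] = {"10.0.0.5": 12, "10.0.0.6": 20, "10.0.0.7": 5, "10.0.0.8": 95}

# Assumption: the first (high) risk range is [RISK_BLOCK, 100] and the second
# is [0, RISK_BLOCK). The claims only require the ranges to be disjoint, with
# every value of the first range indicating a higher risk than the second.
RISK_BLOCK = 70


@dataclass(frozen=True)
class Flow:
    src: str  # source IP address (the first electronic device)
    dst: str  # destination IP address (the first server)


def first_attributes(src: str) -> Optional[Tuple[str, Set[str]]]:
    """First device attribute information: (device type, service types it supports)."""
    dev = SOURCE_DEVICE.get(src)
    if dev is None:
        return None
    return dev, DEVICE_SERVICES.get(dev, set())


def attributes_match(src: str, dst: str) -> bool:
    """Assumed matching rule: the source device type is one the server allows
    AND that device type supports the service type the server provides.
    Unknown sources or servers fail closed."""
    first = first_attributes(src)
    second = SERVER_POLICY.get(dst)
    if first is None or second is None:
        return False
    dev, supported = first
    allowed_types, service = second
    return dev in allowed_types and service in supported


def decide_claim1(flow: Flow) -> Action:
    """Claim 1: forward on attribute match, block otherwise."""
    return Action.FORWARD if attributes_match(flow.src, flow.dst) else Action.BLOCK


def decide_claim2(flow: Flow) -> Action:
    """Claim 2: detection identifier first, then risk value, then claim 1."""
    if not UNDER_ATTACK.get(flow.dst, False):
        return Action.FORWARD  # second identifier: not under attack, forward as-is
    risk = SOURCE_RISK.get(flow.src, 100)  # assumption: unknown source = maximum risk
    if risk >= RISK_BLOCK:
        return Action.BLOCK  # risk value lies in the first (high) risk range
    return decide_claim1(flow)  # second risk range: fall through to attribute matching


def decide_all(flows: List[Flow]) -> List[Tuple[Flow, Action, Action]]:
    """Evaluate each flow under claim 1 alone and under claim 2."""
    return [(f, decide_claim1(f), decide_claim2(f)) for f in flows]


if __name__ == "__main__":
    sample = [  # constructed flows
        Flow("10.0.0.5", "20.20.20.21"),
        Flow("10.0.0.6", "20.20.20.21"),
        Flow("10.0.0.8", "20.20.20.21"),
        Flow("10.0.0.7", "20.20.20.22"),
        Flow("10.0.0.6", "20.20.20.22"),
    ]
    for f, c1, c2 in decide_all(sample):
        print(f"{f.src} -> {f.dst}: claim 1 {c1.value:8} claim 2 {c2.value}")
```

Running the script prints one line per constructed flow. Two points worth noticing: a phone with a low risk value reaching 20.20.20.21 is forwarded, while a terminal reaching the same server is blocked because, in the description's table, the terminal type does not list service type D1 even though terminals are an allowed device type; and for 20.20.20.22, which carries the second identifier, claim 2 forwards every flow without attribute checking, whereas claim 1 applied on its own would block the router flow because the router type does not list service type C1. Whether attribute matching runs only during an attack or always is exactly the difference between claims 2 and 3.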
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA3158824A CA3158824A1 (en) | 2019-12-31 | 2020-09-11 | Network security protection method and protection device |
MX2022008154A MX2022008154A (es) | 2019-12-31 | 2020-09-11 | Network security protection method and protection device. |
EP20909365.7A EP4050859A4 (en) | 2019-12-31 | 2020-09-11 | NETWORK SECURITY PROTECTION METHOD AND PROTECTION DEVICE |
JP2022537782A JP7462757B2 (ja) | 2019-12-31 | 2020-09-11 | Network security protection method and protection device |
US17/851,195 US20220329609A1 (en) | 2019-12-31 | 2022-06-28 | Network Security Protection Method and Protection Device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911408206.7 | 2019-12-31 | | |
CN201911408206.7A CN113132308B (zh) | 2019-12-31 | 2019-12-31 | Network security protection method and protection device |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/851,195 Continuation US20220329609A1 (en) | 2019-12-31 | 2022-06-28 | Network Security Protection Method and Protection Device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021135382A1 true WO2021135382A1 (zh) | 2021-07-08 |
Family
ID=76685902
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/114685 WO2021135382A1 (zh) | 2019-12-31 | 2020-09-11 | Network security protection method and protection device |
Country Status (7)
Country | Link |
---|---|
US (1) | US20220329609A1 (zh) |
EP (1) | EP4050859A4 (zh) |
JP (1) | JP7462757B2 (zh) |
CN (1) | CN113132308B (zh) |
CA (1) | CA3158824A1 (zh) |
MX (1) | MX2022008154A (zh) |
WO (1) | WO2021135382A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2022156278A1 (zh) * | 2021-01-22 | 2022-07-28 | 华为技术有限公司 | Traffic processing method in a protection device, and protection device |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11757929B2 (en) * | 2021-05-27 | 2023-09-12 | Pantheon Systems, Inc. | Traffic-shaping HTTP proxy for denial-of-service protection |
CN114363386B (zh) * | 2021-12-31 | 2024-04-12 | 中控创新(北京)能源技术有限公司 | Industrial control security management device and oil and gas pipeline control system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104901960A (zh) * | 2015-05-26 | 2015-09-09 | 汉柏科技有限公司 | Network security management device and method based on an alarm policy |
US20160142293A1 (en) * | 2013-07-26 | 2016-05-19 | Huawei Technologies Co., Ltd. | Packet sending method, router, and service switching entity |
CN107426168A (zh) * | 2017-05-23 | 2017-12-01 | 国网山东省电力公司电力科学研究院 | Network security access processing method and apparatus |
CN109587156A (zh) * | 2018-12-17 | 2019-04-05 | 广州天懋信息系统股份有限公司 | Method, system, medium and device for identifying and blocking abnormal network access connections |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2001057554A (ja) | 1999-08-17 | 2001-02-27 | Yoshimi Baba | Cracker monitoring system |
US20020032871A1 (en) * | 2000-09-08 | 2002-03-14 | The Regents Of The University Of Michigan | Method and system for detecting, tracking and blocking denial of service attacks over a computer network |
JP2004038557A (ja) | 2002-07-03 | 2004-02-05 | Oki Electric Ind Co Ltd | Unauthorized access blocking system |
JP2006148778A (ja) | 2004-11-24 | 2006-06-08 | Nippon Telegr & Teleph Corp <Ntt> | Packet transfer control device |
JP5088830B2 (ja) | 2008-10-30 | 2012-12-05 | 岩崎通信機株式会社 | Packet passage control method |
JP5110538B2 (ja) | 2009-07-16 | 2012-12-26 | Necアクセステクニカ株式会社 | Network system, network device, network method and program |
JP5300076B2 (ja) | 2009-10-07 | 2013-09-25 | 日本電気株式会社 | Computer system and method for monitoring a computer system |
CN105991628A (zh) * | 2015-03-24 | 2016-10-05 | 杭州迪普科技有限公司 | Network attack identification method and apparatus |
CN106714076A (zh) * | 2015-11-12 | 2017-05-24 | 中兴通讯股份有限公司 | Method and apparatus for triggering an MTC device |
CN107465651B (zh) * | 2016-06-06 | 2020-10-02 | 腾讯科技(深圳)有限公司 | Network attack detection method and apparatus |
CN107493276B (zh) * | 2017-08-08 | 2020-04-07 | 北京神州绿盟信息安全科技股份有限公司 | Network security protection method and apparatus |
CN108521408B (zh) * | 2018-03-22 | 2021-03-12 | 平安科技(深圳)有限公司 | Method, apparatus, computer device and storage medium for resisting network attacks |
2019
- 2019-12-31 CN CN201911408206.7A patent/CN113132308B/zh active Active

2020
- 2020-09-11 MX MX2022008154A patent/MX2022008154A/es unknown
- 2020-09-11 WO PCT/CN2020/114685 patent/WO2021135382A1/zh unknown
- 2020-09-11 EP EP20909365.7A patent/EP4050859A4/en active Pending
- 2020-09-11 JP JP2022537782A patent/JP7462757B2/ja active Active
- 2020-09-11 CA CA3158824A patent/CA3158824A1/en active Pending

2022
- 2022-06-28 US US17/851,195 patent/US20220329609A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
CN113132308B (zh) | 2022-05-17 |
CA3158824A1 (en) | 2021-07-08 |
CN113132308A (zh) | 2021-07-16 |
MX2022008154A (es) | 2022-07-21 |
EP4050859A4 (en) | 2022-12-28 |
JP2023508302A (ja) | 2023-03-02 |
JP7462757B2 (ja) | 2024-04-05 |
US20220329609A1 (en) | 2022-10-13 |
EP4050859A1 (en) | 2022-08-31 |
Similar Documents
Publication | Title |
---|---|
US11671402B2 (en) | Service resource scheduling method and apparatus |
US20240031400A1 (en) | Identifying Malware Devices with Domain Name System (DNS) Queries |
WO2021135382A1 (zh) | Network security protection method and protection device |
US10193890B2 (en) | Communication apparatus to manage whitelist information |
US11843532B2 (en) | Application peering |
EP2615793A1 (en) | Methods and systems for protecting network devices from intrusion |
US11057436B1 (en) | System and method for monitoring computing servers for possible unauthorized access |
US11316861B2 (en) | Automatic device selection for private network security |
JP2007200323A (ja) | Method for protecting SIP-based applications |
US20230198939A1 (en) | System And Method For Remotely Filtering Network Traffic Of A Customer Premise Device |
US10728171B2 (en) | Governing bare metal guests |
US11115435B2 (en) | Local DDOS mitigation announcements in a telecommunications network |
CN110995586A (zh) | BGP packet processing method and apparatus, electronic device and storage medium |
US20110216770A1 (en) | Method and apparatus for routing network packets and related packet processing circuit |
KR102046612B1 (ko) | SDN-based DNS amplification attack defense system and method |
TWI732708B (zh) | Network security system and network security method based on multi-access edge computing |
CN110768983B (zh) | Packet processing method and apparatus |
FI129827B (en) | Authorization of time-synchronized messages |
Liu et al. | Community Cleanup: Incentivizing Network Hygiene via Distributed Attack Reporting |
WO2009143750A1 (zh) | TNC-based terminal data management and terminal security evaluation method, apparatus and system |
KR102274589B1 (ko) | System and method for preventing damage from abnormal international call traffic |
CN117640167A (zh) | Security protection method, apparatus, storage medium, program product and electronic device |
WO2015066996A1 (en) | A method and system for implementing ng-firewall, a ng-firewall client and a ng-firewall server |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20909365; Country of ref document: EP; Kind code of ref document: A1 |
ENP | Entry into the national phase | Ref document number: 3158824; Country of ref document: CA |
ENP | Entry into the national phase | Ref document number: 2020909365; Country of ref document: EP; Effective date: 20220525 |
ENP | Entry into the national phase | Ref document number: 2022537782; Country of ref document: JP; Kind code of ref document: A |
NENP | Non-entry into the national phase | Ref country code: DE |